Autonomous AI agent powered by Claude 3.5 Sonnet for intelligent dependency management
Stop manually reviewing dependency updates. Let Claude AI do it for you.
LLM Dependency Bot uses true agentic AI to analyze dependency update PRs, gather additional context through autonomous tool use, and make intelligent merge decisions - all explained in natural language.
- 🧠 LLM-Powered Decision Making - Claude 3.5 Sonnet as the reasoning engine
- 🔧 Autonomous Tool Use - Fetches release notes, checks CVEs, analyzes diffs
- 📊 Risk Assessment - Categorizes updates by risk level (low/medium/high/critical)
- 🤖 Explainable AI - Every decision includes detailed natural language reasoning
- ⚡ Zero Config - Works out of the box with sensible defaults
- 🎯 Highly Configurable - Customize behavior for your workflow
- 🔒 Safe by Default - Conservative approach, human approval for risky updates
- 📈 Supports All Ecosystems - npm, pip, Docker, GitHub Actions, and more
```
🤖 LLM Dependency Bot - Autonomous AI Agent
Powered by Claude 3.5 Sonnet
======================================================================
✅ Confirmed PR #123 is a dependency PR
📊 Gathering context for PR #123...
  ✓ Author: dependabot[bot]
  ✓ Labels: dependencies, javascript
  ✓ CI Status: success
  ✓ Update: axios 1.6.0 → 1.6.1
  ✓ Type: patch
🤖 Asking Claude to analyze PR #123...
  💭 Claude iteration 1...
  🔍 Claude requesting release notes for axios 1.6.1...
  💭 Claude iteration 2...
📋 Decision: auto_merge
⚖️ Risk: low
🚀 Executing action: auto_merge...
  🔀 Auto-merging PR #123...
  ✅ Successfully merged PR #123
======================================================================
✅ LLM Dependency Bot completed successfully
======================================================================
```
Create `.github/workflows/llm-dependency-bot.yml`:

```yaml
name: LLM Dependency Bot

on:
  pull_request:
    types: [opened, synchronize, reopened]
  workflow_run:
    workflows: ["CI"]  # Wait for your CI to complete
    types: [completed]

jobs:
  auto-merge:
    # Only run for dependency PRs
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    permissions:
      contents: write       # Merge PRs
      pull-requests: write  # Comment and label
      checks: read          # Read CI status
    steps:
      - uses: SeanZoR/llm-dependency-bot@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
```

- Get your API key from Anthropic Console
- Add it to your repo: Settings → Secrets and variables → Actions
- Create secret: `ANTHROPIC_API_KEY`
The bot will now automatically analyze all dependency PRs and:
- ✅ Auto-merge safe updates (patch/minor with passing CI)
- 👤 Request review for risky updates (major versions, breaking changes)
- ❌ Block problematic updates (failing CI, known vulnerabilities)
```
┌─────────────┐
│  PERCEIVE   │  Gather PR context, CI status, dependency info
└──────┬──────┘
       │
       ▼
┌─────────────┐
│   DECIDE    │  Claude analyzes context
└──────┬──────┘  ├─ Can use tools autonomously:
       │         │    • fetch_release_notes()
       │         │    • check_cve_database()
       │         │    • analyze_diff()
       │         └─ Returns decision + reasoning
       ▼
┌─────────────┐
│    ACT      │  Execute decision:
└─────────────┘    • AUTO_MERGE       - Merge with explanation
                   • REQUIRE_APPROVAL - Request human review
                   • DO_NOT_MERGE     - Block with reasoning
```
Unlike rule-based automation, this bot:
- Uses LLM for reasoning - Not just pattern matching, but contextual understanding
- Autonomously gathers info - Claude decides when to fetch release notes or check CVEs
- Adapts to context - Same update type might get different decisions based on nuances
- Explains itself - Natural language reasoning for every decision
Example: A major version update might be auto-merged if Claude determines it's backwards compatible by reading the release notes.
```yaml
- uses: SeanZoR/llm-dependency-bot@v1
  with:
    github-token: ${{ secrets.GITHUB_TOKEN }}
    anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
    auto-merge-enabled: true
    merge-method: squash  # or: merge, rebase
```

```yaml
- uses: SeanZoR/llm-dependency-bot@v1
  with:
    github-token: ${{ secrets.GITHUB_TOKEN }}
    anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
    # Critical dependencies requiring extra scrutiny
    critical-dependencies: 'react,next,fastapi,langchain'
    # Merge method
    merge-method: squash
    # Enable/disable auto-merge
    auto-merge-enabled: true
```

Claude uses this framework (but can reason beyond it):
| Update Type | CI Status | Decision | Risk |
|---|---|---|---|
| Patch (1.0.0 → 1.0.1) | ✅ Pass | Auto-merge | Low |
| Minor (1.0.0 → 1.1.0) | ✅ Pass | Auto-merge* | Low-Medium |
| Major (1.0.0 → 2.0.0) | ✅ Pass | Review | High |
| Any | ❌ Fail | Block | Critical |
| Security update | ✅ Pass | Auto-merge | Low |
| Critical dependency | ✅ Pass | Review | Medium-High |
\*Minor updates auto-merge only if no breaking changes detected
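The table is a deterministic baseline that Claude starts from. As an added example (not the project's own code), here is that baseline in Python, together with the two inputs it depends on: the Dependabot PR title ("Bump axios from 1.6.0 to 1.6.1") that the PERCEIVE step turns into a dependency and version pair, and the comma-separated `critical-dependencies` action input. Where the table is silent, this example makes two labelled assumptions: a critical dependency is checked before the security-update row, and a minor update with detected breaking changes is escalated to review like a major. Titles of grouped Dependabot updates carry no single version pair and are deliberately left unparsed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Dependabot titles look like "Bump axios from 1.6.0 to 1.6.1", optionally with a
# "chore(deps):" prefix or an "in /frontend" suffix. Grouped updates ("Bump the
# npm_and_yarn group with 3 updates") do not match and yield None.
TITLE_RE = re.compile(r"\b[Bb]ump (?P<dep>\S+) from (?P<old>\S+) to (?P<new>\S+)")


@dataclass(frozen=True)
class Update:
    dependency: str
    old: str
    new: str


@dataclass(frozen=True)
class Decision:
    action: str  # AUTO_MERGE, REQUIRE_APPROVAL or DO_NOT_MERGE, as in the README
    risk: str
    reason: str


def parse_pr_title(title: str) -> Optional[Update]:
    """PERCEIVE step: extract dependency, old and new version from a Dependabot title."""
    m = TITLE_RE.search(title)
    return Update(m["dep"], m["old"], m["new"]) if m else None


def parse_version(version: str) -> tuple[int, ...]:
    """Reduce a version string to (major, minor, patch).

    Tolerates a leading 'v', pre-release and build metadata ("1.1.0-beta.1+sha") and
    short tags such as the "3" / "4" used for GitHub Actions; missing parts are 0.
    """
    core = version.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    nums: list[int] = []
    for part in core.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    nums += [0] * (3 - len(nums))
    return tuple(nums[:3])


def update_type(old: str, new: str) -> str:
    """Classify as patch/minor/major; a downgrade or equal version is 'unknown'."""
    o, n = parse_version(old), parse_version(new)
    if n <= o:
        return "unknown"
    if n[0] != o[0]:
        return "major"
    if n[1] != o[1]:
        return "minor"
    return "patch"


def parse_critical_dependencies(setting: str) -> frozenset[str]:
    """Split the action's comma-separated critical-dependencies input."""
    return frozenset(s.strip() for s in setting.split(",") if s.strip())


def decide(update: Update, ci_status: str, *, is_security_update: bool = False,
           critical_dependencies: frozenset[str] = frozenset(),
           breaking_changes_detected: bool = False) -> Decision:
    """Apply the README's decision table. Row order is the table's, except that the
    critical-dependency row is checked before the security-update row (assumption)."""
    if ci_status != "success":
        return Decision("DO_NOT_MERGE", "critical", f"CI status is '{ci_status}'")
    if update.dependency in critical_dependencies:
        return Decision("REQUIRE_APPROVAL", "medium-high", f"{update.dependency} is a critical dependency")
    if is_security_update:
        return Decision("AUTO_MERGE", "low", "security update with passing CI")
    kind = update_type(update.old, update.new)
    if kind == "patch":
        return Decision("AUTO_MERGE", "low", f"patch update {update.old} → {update.new}")
    if kind == "minor":
        if breaking_changes_detected:
            # The footnote only says "no auto-merge"; treating it like a major is an assumption.
            return Decision("REQUIRE_APPROVAL", "high", "minor update with breaking changes detected")
        return Decision("AUTO_MERGE", "low-medium", f"minor update {update.old} → {update.new}")
    if kind == "major":
        return Decision("REQUIRE_APPROVAL", "high", f"major update {update.old} → {update.new}")
    # Unclassifiable versions fall back to human review, the README's conservative default.
    return Decision("REQUIRE_APPROVAL", "high", f"could not classify {update.old} → {update.new}")


if __name__ == "__main__":
    pr = parse_pr_title("Bump axios from 1.6.0 to 1.6.1")
    print(decide(pr, "success", critical_dependencies=parse_critical_dependencies("react,next,fastapi,langchain")))
```

The CI status is taken as a string here because that is what the context-gathering output above prints (`CI Status: success`); anything other than `success`, including `pending`, blocks, which keeps the "Any / ❌ Fail / Block" row the strictest one.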
Scenario: Dependabot opens a PR for axios 1.6.0 → 2.0.0 (major update)

What the bot does:
- Perceives - Gathers CI status, sees it's a major update
- Decides - Claude thinks:
  - "Major version - typically risky"
  - "Let me check the release notes..." → Uses the `fetch_release_notes()` tool
  - Reads: "Version 2.0 is fully backwards compatible, just drops IE11 support"
  - "CI passing, backwards compatible, not critical dependency"
  - Decision: AUTO_MERGE (Low risk)
- Acts - Merges with structured explanation:
| Decision | Risk | Update |
|----------|------|--------|
| ✅ **Auto-merge** | 🟢 LOW | `1.6.0` → `2.0.0` (major) |
<details>
<summary><b>📊 Evidence & Analysis</b></summary>
**Tools Used:**
- ✓ Fetch Release Notes
- ✓ Analyze Diff
**Key Findings:**
- Backwards compatible API (confirmed from release notes)
- Only drops IE11 support, no functional breaking changes
- CI passing (all 127 tests successful)
- No critical security advisories
**Metrics:**
- **Dependency:** `axios`
- **Files Changed:** 2
- **Files:** `package.json`, `package-lock.json`
- **CI Status:** success
</details>
<details>
<summary><b>🤖 Claude's Detailed Reasoning</b></summary>
While this is a major version update, the release notes indicate it is fully
backwards compatible with version 1.x. The only breaking change is dropping
Internet Explorer 11 support, which does not affect this project. CI checks
are passing with all tests successful. Safe to merge.
</details>
🤖 *Powered by Claude 3.5 Sonnet*

Add domain-specific tools for your use case:

```python
def _check_performance_impact(self, dependency: str, version: str) -> str:
    """Custom tool: Check if update impacts performance"""
    # Run benchmarks, check bundle size, etc.
    return results

# Register in _get_tools_definition()
tools.append({
    "name": "check_performance_impact",
    "description": "Analyze performance impact of the update",
    "input_schema": {...}
})
```

See `docs/TOOL-USE-GUIDE.md` for detailed examples.
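As an added example (not the project's code), the following Python shows how a tool registry of the kind `_get_tools_definition()` builds fits into the PERCEIVE → DECIDE loop described earlier: the tool definitions are sent with the request, each `tool_use` block in the reply is validated against its own `input_schema` before the Python function runs, and the `tool_result` blocks are fed back until the model stops calling tools or an iteration budget is exhausted, at which point the loop falls back to REQUIRE_APPROVAL. The message shapes follow the Anthropic Messages API tool-use format; the Claude client is replaced by a scripted stub, the release-notes store is constructed, and `check_performance_impact` has a placeholder body, as in the snippet above.

```python
import json
from dataclasses import dataclass, field
from typing import Any, Callable

# Constructed release-notes store so fetch_release_notes runs offline; not real data.
RELEASE_NOTES = {("axios", "2.0.0"): "Version 2.0 is fully backwards compatible, just drops IE11 support"}

def fetch_release_notes(dependency: str, version: str) -> str:
    """Tool body: look up notes for dependency@version in the constructed store."""
    return RELEASE_NOTES.get((dependency, version), f"No release notes found for {dependency}@{version}")

def check_performance_impact(dependency: str, version: str) -> str:
    # The README's hypothetical custom tool; this body is a placeholder (assumption).
    return f"No benchmark data available for {dependency}@{version}"

# JSON-schema scalar types accepted by the argument check in ToolRegistry.call.
JSON_TYPES: dict[str, Any] = {"string": str, "integer": int, "number": (int, float), "boolean": bool}

@dataclass
class ToolRegistry:
    """Tool definitions (the `tools` request parameter) paired with their Python callables."""
    _tools: dict[str, tuple[dict, Callable[..., str]]] = field(default_factory=dict)

    def register(self, name: str, description: str, input_schema: dict, fn: Callable[..., str]) -> None:
        self._tools[name] = ({"name": name, "description": description, "input_schema": input_schema}, fn)

    def definitions(self) -> list[dict]:
        return [spec for spec, _ in self._tools.values()]

    def call(self, name: str, args: dict) -> tuple[str, bool]:
        """Run a tool and return (output, is_error). Model output is untrusted input to the
        tool layer, so unknown tools, missing/unexpected keys and wrong types go back to the
        model as errors instead of reaching the Python function."""
        if name not in self._tools:
            return f"unknown tool: {name}", True
        spec, fn = self._tools[name]
        schema = spec["input_schema"]
        props = schema.get("properties", {})
        missing = [k for k in schema.get("required", []) if k not in args]
        if missing:
            return f"missing required arguments: {missing}", True
        for key, value in args.items():
            if key not in props:
                return f"unexpected argument: {key}", True
            expected = JSON_TYPES.get(props[key].get("type"))
            # bool is a subclass of int in Python, so True/False must not satisfy "integer".
            if expected and (not isinstance(value, expected) or (expected is int and isinstance(value, bool))):
                return f"argument {key} has wrong type", True
        return fn(**args), False

# Fallback when the budget runs out or no parsable decision arrives: hand the PR to a
# human, matching the README's "defaults to human review when uncertain".
CONSERVATIVE = {"decision": "REQUIRE_APPROVAL", "risk": "high",
                "reasoning": "agent did not reach a decision; escalating to human review"}

def run_agent(model: Callable[[list, list], dict], registry: ToolRegistry,
              user_prompt: str, max_iterations: int = 5) -> dict:
    """DECIDE loop: send conversation + tool definitions, execute any tool_use blocks,
    append the tool_result blocks as the next user turn, repeat until end_turn or budget."""
    messages: list[dict] = [{"role": "user", "content": user_prompt}]
    for _ in range(max_iterations):
        response = model(messages, registry.definitions())
        messages.append({"role": "assistant", "content": response["content"]})
        if response["stop_reason"] != "tool_use":
            text = "".join(b["text"] for b in response["content"] if b["type"] == "text")
            try:
                return json.loads(text)
            except json.JSONDecodeError:
                return dict(CONSERVATIVE, reasoning="model returned a non-JSON decision")
        results = []
        for block in response["content"]:
            if block["type"] == "tool_use":
                output, is_error = registry.call(block["name"], block["input"])
                results.append({"type": "tool_result", "tool_use_id": block["id"],
                                "content": output, "is_error": is_error})
        messages.append({"role": "user", "content": results})
    return dict(CONSERVATIVE)

def scripted_model(turns: list[dict]) -> Callable[[list, list], dict]:
    """Stand-in for the Claude client: replays canned responses in order."""
    it = iter(turns)
    return lambda messages, tools: next(it)

def build_registry() -> ToolRegistry:
    schema = {"type": "object", "required": ["dependency", "version"],
              "properties": {"dependency": {"type": "string"}, "version": {"type": "string"}}}
    registry = ToolRegistry()
    registry.register("fetch_release_notes", "Fetch release notes for a dependency version", schema, fetch_release_notes)
    registry.register("check_performance_impact", "Analyze performance impact of the update", schema, check_performance_impact)
    return registry

# Canned model turns for the README's axios 1.6.0 → 2.0.0 scenario (constructed).
SCENARIO_TURNS = [
    {"stop_reason": "tool_use", "content": [
        {"type": "text", "text": "Major version - typically risky. Let me check the release notes..."},
        {"type": "tool_use", "id": "toolu_01", "name": "fetch_release_notes",
         "input": {"dependency": "axios", "version": "2.0.0"}}]},
    {"stop_reason": "end_turn", "content": [
        {"type": "text", "text": json.dumps({"decision": "AUTO_MERGE", "risk": "low",
         "reasoning": "Release notes state 2.0 is backwards compatible; CI passing."})}]},
]

def demo(max_iterations: int = 5) -> dict:
    """Run the scenario; max_iterations=1 exhausts the budget and returns the fallback."""
    return run_agent(scripted_model(SCENARIO_TURNS), build_registry(),
                     "Analyze PR #123: axios 1.6.0 -> 2.0.0", max_iterations)
```

To plug in the real client, replace `scripted_model` with a callable that passes `messages` and `tools` to the Messages API and returns the response; the loop, the argument validation and the conservative fallback stay unchanged.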
Fork and modify the system prompt in `src/agent.py` to match your risk tolerance:

```python
AGENT_SYSTEM_PROMPT = """You are an expert dependency management agent...

Additional rules for my organization:
- Never auto-merge database library updates
- Always require review for Python 2→3 migrations
- Prioritize security updates even if CI fails
..."""
```

- Architecture Guide - How the agent works internally
- Tool Use Guide - Extending with custom tools
- Prompt Engineering - Customizing AI behavior
- Examples - Real-world usage examples
We love contributions! See CONTRIBUTING.md for:
- How to set up your development environment
- Code style guidelines
- How to submit PRs
- Feature roadmap
- API Keys - Never commit API keys. Always use GitHub Secrets
- Permissions - Bot needs minimal permissions (contents:write, pull-requests:write, checks:read)
- Transparency - All decisions are logged and explained
- Audit Trail - Every merge includes Claude's reasoning in the commit message
See SECURITY.md for reporting security issues.
Claude API costs are very low for this use case:
- Average cost per PR: $0.01 - $0.05
- With 50 dependency PRs/month: ~$2.50/month
- Free tier: Anthropic offers free credits for testing
Compare to:
- Engineer time reviewing deps: $50-100/hour
- Cost of missing a security update: 🚨
| Feature | Dependabot Auto-merge | LLM Dependency Bot |
|---|---|---|
| Decision making | Simple rules | AI reasoning |
| Context awareness | Limited | Reads release notes, CVEs |
| Explanations | Generic | Detailed, specific |
| Adaptability | Fixed rules | Learns patterns |
| Breaking change detection | No | Yes (via release notes) |
- All decisions are transparent and explained
- You can always manually override (merge/close PR)
- The bot is conservative - defaults to human review when uncertain
- You can adjust the system prompt to be more/less aggressive
Yes! The bot detects PRs from both Dependabot and Renovate.
Absolutely! The bot analyzes each PR individually and understands the context.
All of them! The bot works with:
- JavaScript/TypeScript (npm, yarn, pnpm)
- Python (pip, poetry)
- Ruby (bundler)
- Go (go modules)
- Rust (cargo)
- Docker
- GitHub Actions
- And more...
- Multi-agent collaboration (security agent + compatibility agent + performance agent)
- Learning from outcomes (track merge success/failure)
- Real CVE database integration (Snyk, GitHub Security)
- Real release notes fetching (npm, PyPI, GitHub Releases)
- Performance impact analysis
- Dependency tree impact analysis
- Custom notification channels (Slack, Discord)
- Web dashboard for analytics
MIT License - see LICENSE for details
- Anthropic - For Claude 3.5 Sonnet, the LLM powering this bot
- GitHub - For the Actions platform and Dependabot
- Community - For feedback and contributions
- 📖 Documentation
- 🐛 Issue Tracker
- 💡 Discussions
- 🌟 Star this repo if you find it useful!
Built with ❤️ for the developer community
Powered by Claude 3.5 Sonnet - The AI that understands code